Skip to main content

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Security researcher, Bob Diachenko found that 4,282 Android apps that use Google's Firebase are leaking users' personal sensitive data includes their usernames, passwords, phone numbers, email addresses, IP addresses, location data, and chat messages.

Bob Diachenko also found that around 4.8% of Android apps are not properly secured due to misconfiguration and that allows anyone to access database which contains users' private sensitive information without a password or any other type of authentication.

Google's Firebase is a popular mobile and web application development platform. It offers various functionality like analytics, databases, file storage, authentication, fix issues, in-app messaging, and etc. Google's Firebase services used by 30% of all Android apps.

Misconfigured apps cover education, entertainment, games, travel, local, and business categories. Also, these misconfigured apps found to be installed by 4.22 B times by users. If users use one of the misconfigured apps then it may pose a risk to the user's security and privacy.

Firebase is also a cross-platform tool and because of that researcher said that the misconfigurations are also impacting iOS and web apps as well.

The exposed data includes :

1) Usernames : 44,00,000+
2) Passwords : 10,00,000+
3) Full Names : 1,83,00,000+
4) Phone Numbers : 53,00,000+
5) Email Addresses : 70,00,000+
6) Street Addresses : 5,60,000+
7) GPS Data : 62,00,000+
8) IP Addresses : 1,56,000+
9) Chat Messages : 68,00,000+

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Security researchers analyzed around 1,55,066 Firebase apps and found that 11,730 apps had publicly exposed databases and out of 11,730 apps 9,014 apps even included write permissions and because of that, an attacker can inject malicious data into an app, spread malware, and corrupt the application database.

Out of 11,730 exposed apps, 4,282 apps leaked users' personal sensitive data. An attacker can easily find, view, and download the contents of exposed databases in JSON format by simply appending "/.json" to the end of a database URL (Ex. https://project-name.firebaseio.com/.json).

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Google removes these exposed Firebase database URLs from its search results. However, these exposed Firebase databases are still indexed by other search engines like Bing, Yahoo, etc.

Leaving a database without a password is an open invitation for attackers. So, It is recommended to app developers that don't store a password in plain text, prevent unauthorized access, and implement proper firebase database rules.

It is also recommended to the users that be aware of what information you share with an app, and use only reputable and trusted apps after checking reviews.

If you have any questions related to Firebase data leak and also want to share your views on this then please mention in the comments box and I will get back to you and stay tuned with my blog.
Labels:

Comments

  1. MgregchiJune 1, 2020 at 5:08 PM

    Hello, I want to know how to check if my credentials has been breached.
    I use firebase a lot for many things, so how can I check if it has been breached. Thanks

    ReplyDelete
  2. SEOSeptember 7, 2020 at 1:32 PM

    I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. hikedatabase.com/united-states/hiking-in-rhode-island/

    ReplyDelete

Post a Comment

Popular posts from this blog

How To Check If a Link Is Safe To Click

Many times, we share links among our friends on social media platforms like WhatsApp, Facebook, Instagram or Twitter. But do we know how safe they are? What can happen if you click on any malicious link? We never think of the following things : Links can drop various harmful programs, viruses on your device Links can steal your personal data by dropping spyware or keyloggers Use your browser for crypto mining which will affect your device's performance Even if your device is secured with antivirus, not all of them warn you before clicking such malicious links . And the moment you click on these, they will become big trouble for you. This can sometimes even be dangerous with regard to data security and identity theft. So, Be careful about what you click on. These days one of the quickest growing security issues is ransomware , which is often spread by the user unintentionally clicking dangerous links in emails, social media platforms, messengers, and other tool
145 comments
Read more

How To Enable WhatsApp Fingerprint Lock Feature on Android

WhatsApp has officially rolled out the fingerprint lock feature for all the Android users. Most of you may already have been doing it for the last few years with the help of third-party app lockers for adding more security. Keeping that in mind and to make the process quicker and safer at the same time, WhatsApp has now launched this new fingerprint lock feature so that you can open the app by your fingerprint. It means that regardless of whether the phone is opened, others won't have the option to gain access to the messages without your fingerprint. So, you can now secure your WhatsApp conversations with an extra layer of biometric security . With this step, WhatsApp is finally offering biometric authentication to the Android app, while iPhone users enjoying both the Touch ID that is the fingerprint recognition and Face ID that is the facial recognition since the month of February 2019. WhatsApp is also giving more options with the new fingerprint lock featur
50 comments
Read more

TikTok Secretly Sent Users Private Data & PII Number to Chinese Server Including Draft Videos

The popular Android and iOS short-videos creating app, TikTok hit with a lawsuit claims that the app illegally and secretly transfers app's users' private sensitive data and Personally Identifiable Information (PII) to Chinese servers. TikTok which is a 15-second short-video creating app especially popular among the younger generation and also downloaded over 1.3 Billion times worldwide . TikTok remains top in the most downloaded app list for months on the Apple App Store and Google Play Store.  According to the lawsuit, Tiktok shared the user's created videos which include private acts and closeups of user's faces (biometric data) before the videos are saved on the app. TikTok provides many options includes the next button, close button, and button for effects to its users while recording the video. Here, the next button takes users to the screen that shows these two options : "post" and "save".  After clicking on the "next" button, Tik
76 comments
Read more